enable-mixed-sandbox option

atom/app/atom_main_delegate.cc

@@ -125,11 +125,16 @@ void AtomMainDelegate::PreSandboxStartup() {
   // Only append arguments for browser process.
   if (!IsBrowserProcess(command_line))
     return;
-
-  if (command_line->HasSwitch(switches::kEnableSandbox)) {
-    // Disable setuid sandbox since it is not longer required on linux(namespace
-    // sandbox is available on most distros).
-    command_line->AppendSwitch(::switches::kDisableSetuidSandbox);
+  
+  if (!command_line->HasSwitch(switches::kEnableMixedSandbox)) {
+    if (command_line->HasSwitch(switches::kEnableSandbox)) {
+      // Disable setuid sandbox since it is not longer required on linux(namespace
+      // sandbox is available on most distros).
+      command_line->AppendSwitch(::switches::kDisableSetuidSandbox);
+    } else {
+      // Disable renderer sandbox for most of node's functions.
+      command_line->AppendSwitch(::switches::kNoSandbox);
+    }
   }
 
   // Allow file:// URIs to read other file:// URIs by default.

atom/browser/web_contents_preferences.cc

@@ -108,14 +108,11 @@ void WebContentsPreferences::AppendExtraCommandLineSwitches(
   command_line->AppendSwitchASCII(switches::kWebviewTag,
                                   webview_tag ? "true" : "false");
 
-  if (IsSandboxed(web_contents)) {
-    // pass `--enable-sandbox` to the renderer so it won't have any node.js
-    // integration.
+  // If the `sandbox` option was passed to the BrowserWindow's webPreferences,
+  // pass `--enable-sandbox` to the renderer so it won't have any node.js
+  // integration.
+  if (IsSandboxed(web_contents))		
     command_line->AppendSwitch(switches::kEnableSandbox);
-  } else {
-    // Disable renderer sandbox for most of node's functions.
-    command_line->AppendSwitch(::switches::kNoSandbox);
-  }
 
   if (web_preferences.GetBoolean("nativeWindowOpen", &b) && b)
     command_line->AppendSwitch(switches::kNativeWindowOpen);

atom/common/options_switches.cc

@@ -138,6 +138,9 @@ namespace switches {
 // Enable chromium sandbox.
 const char kEnableSandbox[] = "enable-sandbox";
 
+// Enable sandbox in only remote content windows.
+const char kEnableMixedSandbox[] = "enable-mixed-sandbox";
+
 // Enable plugins.
 const char kEnablePlugins[] = "enable-plugins";
 

atom/common/options_switches.h

@@ -74,6 +74,7 @@ extern const char kWebviewTag[];
 namespace switches {
 
 extern const char kEnableSandbox[];
+extern const char kEnableMixedSandbox[];
 extern const char kEnablePlugins[];
 extern const char kPpapiFlashPath[];
 extern const char kPpapiFlashVersion[];